Shifting Left: How We Built a Modern AI Security Tool from a Classroom Desk

AI-Assisted Cloud Development Illustration
AI-assisted development is reshaping the security landscape

The "Production" Nightmare

It was a regular Tuesday afternoon in my 5th-semester Secure Software Systems lecture. But one line from the professor stuck with me:

Fixing a vulnerability after deployment is like changing a tire while the car is moving at 80 km/h.

That analogy hit hard.

As a cybersecurity student — and the Team Lead of the Cyber ESS Team — I started thinking about the tools we were using. They were powerful, no doubt. But they felt heavy. Slow. Intimidating. Like machinery designed for experts, not for students still learning the craft.

SDLC Security Lifecycle — Shifting Left
The SDLC — security should live at the left, not the right

And that's where the idea began.

Core Insight

If security feels like a burden, developers will avoid it. If it feels natural, they'll adopt it. We didn't want to build another tool — we wanted to change when and how developers think about security.


The Philosophy: Making Security Invisible

The idea was simple: don't force developers to go to security — bring security to them.

Familiarity Over Friction

Most tools require you to leave your workflow — open a website, paste code, wait for results. We didn't want that. We chose to build inside VS Code — the place where developers already spend most of their time. No context switching. No friction. Just write code and get feedback instantly.

Developer writing code at their workstation
Where developers live — the editor is the right place to put security

Designing for Comfort, Not Fear

Security tools often use aggressive tones — red warnings, complex terminology, and overwhelming outputs. We intentionally avoided that. Instead of a "hacker aesthetic," we went with a clean, modern UI. Because security isn't a dark art — it's just good engineering.

Making Security a Habit

Our real goal wasn't just detection. It was behavior change. If developers start seeing security feedback as part of their normal coding flow, they'll naturally write better, safer code over time.


Under the Hood: Building the AI Engine

Once the idea was clear, the real challenge began. How do you build a powerful security scanner without heavy infrastructure?

Code patterns and structure
Code at a structural level
DeepSeek AI Model
Powered by DeepSeek via Hugging Face

The AI Approach

Running large models locally wasn't realistic for a student project. So we took a smarter route. We used APIs through platforms like Hugging Face to access advanced models such as DeepSeek.

This gave us:

  • Lightweight performance — no local heavy compute required
  • Fast responses across multiple scans
  • Multi-language support: JavaScript, Python, Java, C++

It allowed us to focus on experience, not infrastructure.


The Real Challenge: The Webview

If there was one part that tested us the most, it was the Webview. We didn't want plain text output — that would defeat the purpose. We wanted something interactive and genuinely useful.

VS Code Extension Interface
VS Code as a platform — where the webview lives inside the editor

So we built:

  • Color-coded severity badges — CRITICAL, HIGH, MEDIUM, LOW
  • Side-by-side comparison of vulnerable code and suggested fix
  • Actionable solutions — not just warnings
Clean modern UI with dark mode
Design direction — clean, modern, intentionally not intimidating
Design Principle

Don't just tell developers what's wrong — show them how to fix it. The goal was to turn security findings into learning moments, not blockers.


Beyond Code: Learning to Think Differently

This project changed how we look at software development entirely.

Thinking Like a Developer vs. a Security Reviewer

As developers, we usually ask: "Does this work?"

But security forces a different question: "Can this be broken?"

We had to train ourselves to think from both perspectives. That mindset shift alone made the project worth it.

Balancing Accuracy and Simplicity

A tool that detects everything but explains nothing is useless. We focused on clarity:

  • Simple explanations over security jargon
  • Direct, copy-paste-ready fixes
  • Minimal cognitive load for the reader

A tool is only effective if people actually understand it.

— Lesson learned building AIVS

The Team Behind It: Cyber ESS

The most meaningful part of this journey wasn't the technology. It was the people.

The Cyber ESS team working on the project
Cyber ESS Team — 2023–2027 Batch, building late into the night

As a team lead, my role wasn't just to build — but to guide. We explored concepts that were completely new to many of us:

  • Secure API key handling using VS Code's global state storage
  • Asynchronous programming to keep the UI responsive during scans
  • Debugging real-world issues like regex failures and Webview rendering bugs

There were long nights. There were moments where nothing worked. But slowly, things started clicking. And that moment — when an idea becomes a working system — is something every builder should experience at least once.


Key Features We Implemented

Each feature was designed with one principle in mind: make security simple.

🔍
Real-Time Scanning
Scan any open file on demand from the Command Palette. No build step, no waiting.
📍
Line-Level Detection
Issues are pinpointed to exact lines with the vulnerable code snippet shown inline.
💡
AI-Generated Fixes
Each finding includes a developer-ready recommended fix, not just a description of the problem.
🔒
Secure Key Storage
Hugging Face API key stored once in VS Code's global state — never in plaintext.
⚠️
Severity Levels
CRITICAL · HIGH · MEDIUM · LOW — colour-coded badges for clear triage priority.
🖼
Interactive Webview
Rich side-by-side comparison of vulnerable code and suggested fix, all inside VS Code.

What We Learned Along the Way

Looking back, this project taught us far more than just coding.

01
Security Must Be Built Early
Waiting until deployment is too late. Security should start at the first line of code — a mindset, not a phase.
02
Automation is Powerful
Manual code review doesn't scale. AI helps bridge that gap by catching issues early and consistently.
03
Simplicity Wins
The best tools are not the most powerful ones. They're the ones people actually use — day after day.
04
Collaboration is Everything
A project is never just code. It's communication, alignment, and a shared vision of what good looks like.

The Bigger Vision

This project started as a classroom idea. But it showed us something bigger.

AI-assisted development is not the future — it's already here. And security tools need to evolve with it.

Cloud AI integration and the future of intelligent development
Where we're headed — continuous, intelligent, invisible security

In the future, tools like this could:

  • Run continuously and passively as you write
  • Learn from your codebase patterns over time
  • Prevent vulnerabilities before they even get typed
Final Thought

Don't wait for a job. Don't wait for the perfect idea. Don't wait until you feel "ready." If something feels broken — or unnecessarily complicated — try to fix it. That's how this project started. Not with a grand vision. Just with a simple thought: "Why does security have to feel this hard?"

Sometimes the best projects don't come from labs or companies. They come from classrooms, curiosity, and the courage to build something better.


Buvaneswaran E
Written by
Buvaneswaran E. B. & K.S Adithyan

Cyber ESS Team · 2023–2027 Batch. Third-year engineering students building security tools, IoT systems, and writing about what they learn along the way.